NSENTER(1)                       User Commands                      NSENTER(1)

NAME
       nsenter - run program in different namespaces

SYNOPSIS
       nsenter [options] [program [arguments]]

DESCRIPTION
       The nsenter command executes program in the namespace(s) that are
       specified in the command-line options (described below). If program is
       not given, then "${SHELL}" is run (default: /bin/sh).

       Enterable namespaces are:

       mount namespace
              Mounting and unmounting filesystems will not affect the rest of
              the system, except for filesystems which are explicitly marked
              as shared (with mount --make-shared; see /proc/self/mountinfo
              for the shared flag). For further details, see
              mount_namespaces(7) and the discussion of the CLONE_NEWNS flag
              in clone(2).

       UTS namespace
              Setting hostname or domainname will not affect the rest of the
              system. For further details, see uts_namespaces(7).

       IPC namespace
              The process will have an independent namespace for POSIX message
              queues as well as System V message queues, semaphore sets and
              shared memory segments. For further details, see
              ipc_namespaces(7).

       network namespace
              The process will have independent IPv4 and IPv6 stacks, IP
              routing tables, firewall rules, the /proc/net and /sys/class/net
              directory trees, sockets, etc. For further details, see
              network_namespaces(7).

       PID namespace
              Children will have a set of PID to process mappings separate
              from the nsenter process. nsenter will fork by default if
              changing the PID namespace, so that the new program and its
              children share the same PID namespace and are visible to each
              other. If --no-fork is used, the new program will be exec'ed
              without forking. For further details, see pid_namespaces(7).

       user namespace
              The process will have a distinct set of UIDs, GIDs and
              capabilities. For further details, see user_namespaces(7).

       cgroup namespace
              The process will have a virtualized view of /proc/self/cgroup,
              and new cgroup mounts will be rooted at the namespace cgroup
              root. For further details, see cgroup_namespaces(7).

       time namespace
              The process can have a distinct view of CLOCK_MONOTONIC and/or
              CLOCK_BOOTTIME which can be changed using
              /proc/self/timens_offsets. For further details, see
              time_namespaces(7).

OPTIONS
       Various of the options below that relate to namespaces take an optional
       file argument. This should be one of the /proc/[pid]/ns/* files
       described in namespaces(7), or the pathname of a bind mount that was
       created on one of those files.

       -a, --all
              Enter all namespaces of the target process by the default
              /proc/[pid]/ns/* namespace paths. The default paths to the
              target process namespaces may be overwritten by namespace
              specific options (e.g., --all --mount=[path]).

              The user namespace will be ignored if it is the same as the
              caller's current user namespace. This prevents a caller that has
              dropped capabilities from regaining those capabilities via a
              call to setns(). See setns(2) for more details.

       -t, --target pid
              Specify a target process to get contexts from. The paths to the
              contexts specified by pid are:

              /proc/pid/ns/mnt      the mount namespace
              /proc/pid/ns/uts      the UTS namespace
              /proc/pid/ns/ipc      the IPC namespace
              /proc/pid/ns/net      the network namespace
              /proc/pid/ns/pid      the PID namespace
              /proc/pid/ns/user     the user namespace
              /proc/pid/ns/cgroup   the cgroup namespace
              /proc/pid/ns/time     the time namespace
              /proc/pid/root        the root directory
              /proc/pid/cwd         the working directory respectively
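
Each /proc/pid/ns/* link listed above resolves to a string of the form type:[inode], so comparing the caller's links with the target's shows which namespaces --all or the individual options would actually switch, including the case where the user namespace is the same and is ignored. The script below is an added example, not part of util-linux or of this manual page; the function names and the PROC_ROOT parameter are assumptions made for illustration, and it only reads links without entering any namespace.

```sh
#!/bin/sh
# Added example: compare the namespaces of two processes through the
# /proc/<pid>/ns/* links that nsenter --target resolves.
# The PROC_ROOT argument is an assumption of this example (normally /proc);
# it lets the logic be exercised against a constructed directory tree.

NS_TYPES="mnt uts ipc net pid user cgroup time"

# ns_id PROC_ROOT PID TYPE -> link target such as "net:[4026531840]",
# or nothing if the link is missing or unreadable.
ns_id() {
    readlink "$1/$2/ns/$3" 2>/dev/null || true
}

# ns_diff PROC_ROOT CALLER_PID TARGET_PID
# Prints one line per namespace type: "<type> same|differs|unknown".
ns_diff() {
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$2" "$t")
        b=$(ns_id "$1" "$3" "$t")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "$t unknown"   # no permission, or kernel lacks this type
        elif [ "$a" = "$b" ]; then
            echo "$t same"
        else
            echo "$t differs"
        fi
    done
}

# ns_options PROC_ROOT CALLER_PID TARGET_PID
# Prints the nsenter long options for the namespaces that differ,
# each preceded by a space (for example " --mount --net").
ns_options() {
    ns_diff "$1" "$2" "$3" | while read -r t state; do
        [ "$state" = differs ] || continue
        case $t in
            mnt) printf ' --mount' ;;      # the mnt link maps to --mount
            *)   printf ' --%s' "$t" ;;
        esac
    done
}

# Compare this shell with the PID given as the first argument (default 1).
ns_diff "${PROC_ROOT:-/proc}" "$$" "${1:-1}"
```

Reading another user's /proc/pid/ns/* links usually requires privileges over that process; unreadable links are reported as unknown.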

       -m, --mount[=file]
              Enter the mount namespace. If no file is specified, enter the
              mount namespace of the target process. If file is specified,
              enter the mount namespace specified by file.

       -u, --uts[=file]
              Enter the UTS namespace. If no file is specified, enter the UTS
              namespace of the target process. If file is specified, enter
              the UTS namespace specified by file.

       -i, --ipc[=file]
              Enter the IPC namespace. If no file is specified, enter the IPC
              namespace of the target process. If file is specified, enter
              the IPC namespace specified by file.

       -n, --net[=file]
              Enter the network namespace. If no file is specified, enter the
              network namespace of the target process. If file is specified,
              enter the network namespace specified by file.

       -p, --pid[=file]
              Enter the PID namespace. If no file is specified, enter the PID
              namespace of the target process. If file is specified, enter
              the PID namespace specified by file.

       -U, --user[=file]
              Enter the user namespace. If no file is specified, enter the
              user namespace of the target process. If file is specified,
              enter the user namespace specified by file. See also the
              --setuid and --setgid options.

       -C, --cgroup[=file]
              Enter the cgroup namespace. If no file is specified, enter the
              cgroup namespace of the target process. If file is specified,
              enter the cgroup namespace specified by file.

       -T, --time[=file]
              Enter the time namespace. If no file is specified, enter the
              time namespace of the target process. If file is specified,
              enter the time namespace specified by file.

       -G, --setgid gid
              Set the group ID which will be used in the entered namespace and
              drop supplementary groups. nsenter(1) always sets GID for user
              namespaces; the default is 0.

       -S, --setuid uid
              Set the user ID which will be used in the entered namespace.
              nsenter(1) always sets UID for user namespaces; the default is
              0.

       --preserve-credentials
              Do not modify UID and GID when entering a user namespace. The
              default is to drop supplementary groups and set GID and UID to
              0.

       -r, --root[=directory]
              Set the root directory. If no directory is specified, set the
              root directory to the root directory of the target process. If
              directory is specified, set the root directory to the specified
              directory.

       -w, --wd[=directory]
              Set the working directory. If no directory is specified, set
              the working directory to the working directory of the target
              process. If directory is specified, set the working directory
              to the specified directory.

       -F, --no-fork
              Do not fork before exec'ing the specified program. By default,
              when entering a PID namespace, nsenter calls fork before calling
              exec so that any children will also be in the newly entered PID
              namespace.

       -Z, --follow-context
              Set the SELinux security context used for executing a new
              process according to the already running process specified by
              --target PID. (util-linux has to be compiled with SELinux
              support; otherwise the option is unavailable.)

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.

AUTHORS
       Eric Biederman ⟨biederm@xmission.com⟩
       Karel Zak ⟨kzak@redhat.com⟩

SEE ALSO
       clone(2), setns(2), namespaces(7)

AVAILABILITY
       The nsenter command is part of the util-linux package and is available
       from Linux Kernel Archive
       ⟨https://www.kernel.org/pub/linux/utils/util-linux/⟩.

util-linux                         June 2013                        NSENTER(1)